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*— • examination until the expiration of the applicable time limit set in 35 U.S.C. 371(b) and PCT Articles 22 and 39(1). 

4. □ A proper Demand for International Preliminary Examination was made by the 19th month from the earliest claimed priority date. 

5. □ A copy of the International Application as filed (35 U.S.C. 371(c)(2)) 

a. Q is transmitted herewith (required only if not transmitted by the fciternational Bureau). 

b. Q has been transmitted by the International Bureau. 

c. Q is not required, as the application was filed in the United States Receiving Office (RO/US). 

6. H| A translation of the International Application into English (35 U.S.C. 371(c)(2)). 

7. Q Amendments to the claims of the International Application under PCT Article 19 (35 U.S.C, 371(c)(3)) 

a. are transmitted herewith (required only if not transmitted by the International Bureau). 

b. Q have been transmitted by the International Bureau. 

c. have not been made; however, the time limit for making such amendemnts has NOT expired. 

d. Q^j have not been made and will not be made. 

8. [[] A translation of the amendments to the claims under PCT Article 19 (35 U.S.C. 371(c)(3)). 
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Serial or Patent No,: (to be 
Filed or Issued: 
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Address ..,> -'C^'-V.^' • 
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193029, Sa^-Betersbmg RUSSIA 


I hereby declare liial I qualify as ait ind^p^tidenf itov^tor as defined, in 3? GPR 1 £(c) fbr 
puiposes of paying reduced fees under section 41(a) of Title 35, United States Code, to 


a Kind fiS^S^natixre 31^ %i|K^tiiEs 'llbierefor described in 

a the specification filed herewith 

O application serial no, , filed on 

D Patent No. , issued on 

I have not assigned, granted, conveyed or licensed and am under no obligation 
under contract or law to assign, giant, convey or license, any rights in the invention to any 
person who could not be classified as an independent inventor under 37 CFR 1 .9(c) if that 
person had made the invention, or to any concern which would not qualify as a small 
business concern under 37 CFR 1 9(d) or a nonprofit oiganlzation under 37 CFR 1 .9(e), 

Each person, concern or organization to which I have assigned, granted, conveyed, 
or licensed or am under an obligation under contract or law to assign, gran^ convey, or 
license any tights in the invention is listed below: 

D no such person, concern, or organisation 

□ persons, concerns, or organizations, listed below * 
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CFR \m ■ 


r 


FULL NAME; 
ADDRESS; 


FULL NAME: 
ADDRESS: 
FULL NAME: 
ADDRESS: 


□ INDIVIDUAL 
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OJNDWIDUAL 

□ SMALL BUSINESS CONCERN 

□ NONPROFIT ORGANIZATION 

D INDIVIDUAL 

D SMALL BUSINESS CONCERN 
C NONPRO FI T ORGANIZATION 


I acknowledge the duty to file, in this application or patent, notification of any 
change in status resulting in loss of entitlement to snail entity status prior to paying, or 
at the time of paying, the earliest of the issue fee or any maintenance fee due after the 
date on whfchstatus as a smaitesfttfty is HbIongerappropri^. (37 C^R I.28(b}} ? 

I hemby declare that ajlstatements niadeherein of i^owii knowtedgeare true an^ 
that all statements made pn infonnaikin and belief are believed to be trse; arid further; 
that these statements weie ifiade with the fcnowisdge that willful false statements and 
the Kke so made are punishake by fine or imprisonment, or bofii, under Section 1001 of 
Title IS Qf the United States Code, and that such willful false statements may jeopardize 
the validity of the application, any patent issuing thereon* or my patent to which this 
verified declaration is directed. . 
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For Method for Maki^ a Blind ^ 
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□ appHcationsett^na. .filed on 

O Patent No. , issued on . • 

I have not assigned, granted, conveyed or licensed and am under no obligation 
under contract orlaw to assign, grant, convey or license, any rights in the invention to any 
person who could notbe classifiedas aniridepewi^tinyeiitor under 37 CFR 1.9(c) if that 
peison had made the invention, or to any concern which would not quality as a small 
business concern under 37 CFR 19(d) or a nonprofit oiganizatiori under 37 CFR 1.9(e). 

Each person, concern or c*ganizatiori to which I have assigned, granted, conveyed, 
or licensed or am under an obligation under contract or law fo assign, grants convey, or 
license any rights in the invention is listed below: 

D no such person, concern, or organization 

□ peisorts, concerns, or organizations listed below,* 
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organization having rights to the invention averring to their status as small entities. (37 
CER 1,27) 
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ADDRESS 
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ADDRESS: 


□ INDIVIDUAL 

□ SMALL BUSINESS CONCERN 

□ NONPI^f FT ORGANIZATION 


□ INDIVIDUAL 

0 SMALL BUSINESS CONCERN 
O NONFROFTf .ORGANgMlOW. 


□ INDIVIDUAL . 

0 SMALL SUSffffiSS CONCERN 


I acknowledge ihe duty to gle, in this application ori patent notification of any 
change in status iesultingin loss of entitlement to small entity status prior to paying, or 
at the time of paying, the eariie*t of the issue fee or any maintenance fee due after the 
date on which status as asihall entity Is nolongtSr appropriate. (37 <XR1.2&(b)i 

I hereby ^dficlaie thataiUtat^nenta madehei^in of my ownknowledge are tiue and 
that all statements made on irtforination and belief ate be^eved to be true; and further 
that these statement? wens made with the knowledge that willful felse statements and 
the like so made are punishable by fine or imprisonment, br fccrfh, under Section 1001 of 
Title 1 8 of the Uiiited States Code, and that such \\*JM false statements may jeopardize 
the validity of the application, aity patent issuing thereoii, or any. patent to which this 
verified declaration is directed, \ 


NAME OF INVENTOR 
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SIGNATURE OF INVENTOR 
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LACKENBACH SIEGEL MARZULLO ARONSON & GREENSPAN, RC SE-B-i 
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8 the specification filed herewith 

□ application serial no, .filed on 

□ Patent No, , issued on 

I have not assigned, granted, conveyed or licensed and am under no obligation 
under contract or law to assign, grant, convey or license, any rights lathe invention to any 
person who could not be classified as an independent inventor under 37 Ok 1.9(c) if that 
person had made the invention, or to any concern which would not qualify as a small 
business concern under 3? CFR 19(d) or a nonprofit organization under 37 CFR 1.9(e). 

Eachperson, concern or organization to which 1 have assigned, granted, cotiveyed, 
or licensed or am under an obligation under contract or law to assign, grant, convey* or 
license any rights in the invention is listed below: 

□ no such person, concern, or otganfeation 
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□ INDIVIDUAL 

O SMALL BUSINESS CONCERN 

□ INDIVIDUAL 

□ SMALL BUSINESS CONCERN 

□ NONPROFIT ORGAferiQN 



□ INDIVIDUAL 

O SMALL BUSINESS CONCERN 

□ NONPROFIT QRGAKgA-nON 


1 acknowledge the duty to file, in this application or patent, notification of any 
change in status insulting jn kiss of entitlement to small enffly status prior to paying, or 
at the time of paying, due earliest of the issue fee or any maintenance fee due alter the 
date on which statejs as a small entity is no longer appropriate, (37 CFR i i28(b)} 

Iheieby declare Ihal all statements made herem^ 
that all statements made on infoimation and belief afle believed tip be true; and further 
tiiat these statements were made with the knowledge that v^Ufiil false statements and 
the like so made are punishable fcy fine or imprisonment, or bofh, under Section 1001 of 
Title 18 of the,United States Code, and that such vrill&i false statements may jeopardise 
the validity of the application, any patent issuing thereon, &r any patent Is which ilils 
verified declaration is directed. 

NAME OF INVENTOR 
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SIGNATURE dj? INVENTOR 



DATE 


LACKENBACH SflSGEL MARZULLO ARGNSON & GREENSPAN, F S C. SE-B-! 


QT 


HDFL 05 1999 CTP4 


914 723 4288 P. 13/27 


ifpr:. Method ^ 
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and Apparatus Therefor 


, As one.pfthe five below named inventors, 








Aridtey<3©^<^ 


, ■ ■ ^...v-' ._ • ■ . 

I91126;stol^st»ros RUSSIA 




Jhereby declare that 15118% as an independent iiiventorite def|^i|n37 (^ 1.9(c) for 
purposes of paying redu^ tti^^-pv^Stalm Code, to 

thspatetgarai^ " 
a ftind RSA-Sign^ture and Apparatus Therefor desxrritted in 


a ; theipecilicaticai filed herewith 

□ application aerial no. 

Q Patent No. . issued on 


, filed oh 


1 have not assigned, granted} conveyed or licensed and am under no obligation 
under contractor law to assign, grant, convey or license, any rights in the invention to any 
person who could not be classified as an independent inventor under37 CFR 1 .9(c) if that 
person had made the invention, or to any concern which would not qualify as a small 
business concern under 37 CFR 19(d) or a nonprofit organization under 37 CFR 1 .9(e). 

Each person, concern or organization to which I have assigned, granted, conveyed, 
or licensed or am under an obligation under contract or law to assign, grant, convey, or 
license any eights in ihe invention is listed below; 

□ no such pereon, concern, or organization 

□ persons, concerns, or organizations listed below.* 


□T 


HOMEP TEfEPOm 


HQS. 35 1999 19:19 CTP3 
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Note: Separate verified statements am required from each named person, concern or 
organization having rights to the invention averring to their status as small entitles (37 
CfRI;27) 

Ft 


FULL NAME: 
ADDRESS; 


ADDRESS: 



FULL NAME: 
ADDRESS: 


□ INDIVIDUAL 

□ SMALL BUSINESS CONCERN 
O NONPROFIT 0R0ANIZA1I0N 


□ INDIVIDUAL 

□ SMALL BUSINESS CONCERN 
U NOWPROFT T ORQAKBA-nON 

D SMALL BUSINESS CONCERN 
m NONPROFIT ORGANIZATION 



I acknowledge the duty to file, in this application or' patent notification of any 
change in status resulting in loss of entitlement to small entity status prior to pping, or 
at the time of paying, the earliest of the issue fee or any maintenance fee due after the 
d&eoriwhk&stat^ 

: IherebydeclarethataUstatementemadeherelnofmyownto^ 
that afJ statements made on information and belief are believed to be true; and further 
that these statements Were made with the knowledge that willful false statements and 
the like stfmade am punishable by fine or imprisaiwn^ru, orbutti, Wilder SectJon 1001 of 
Title 18 of the United States Code, and that such willful fojse statements may jeopardize 
the validity of the application, any patent issuing thereon, pr any patent to which this 
verified deciaraticm is (firected. 


NAME OF INVENTOR 


I Atexatidr Leomdovkh SMJENOV ' 
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SIGNATURE OF INVESTOR 
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DATE 



.11 
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LACKENBACH SIEGEL MARZULLQ ARONSGN & GREENSPAN, P.C. SE-B-1 


DT . • HDMEP TEflEQOHPi : 

Appucam or fatentee: Zalotorev et ai 

Serial pr Patent No.: (to be assigned) 
Filed or Issued: ■ ■ ■-. ' ■ p '' . 


As one of the b^ownam^ inventorSt 


" ' , nil' ■ , 

Inventor ■ :'^f' : :: : ; , 

Addtass ' « ■>-v^.v^^'C-\.. ,: >v ; v. - \ 


Sosaovy bor,^t' Mblqij§ga^ 25, kvio 
188537, Leaiagr^f^^ 

! Iviacn vWlirairovich KtJZ^ISOy- 

191123, SaM«Sl^^ : ;^tJS§lA ^ 

Audrey Genna^evicfc I^^^iSpN 1 

191123, Sapt-Pe^isijttrg RUSSIA 


ui. i-TOSKJSVSKsaga, 36^ fcv. 8 ! '. 1 '•' ^ 
191126, fiBh^tei?m^m^S^ 


Ul. BabuaEtina, ^koqp. 2, kv, 45 " 


I hereby declare that 1 ^uaiir| as aii indepondeiit inventor as defined in 37 CFft -i#(c) fer 
purposes -of paying 'jse&iesri fofrund^teeftii 41(a) o^lltie 35, Onjfe^ States £bde, to 
the Patent and Trademark^^ 

a Blind RSA-Sigcalur^ and Apparatus Therefor dcscri v 

8 the specification filed herewith 

O apptieatiori serial no. , filed on 

O PatentNo. issued on . .'" • 

I have not assigned, granted, conveyed or licensed and am under no obligation 
under contract or law to assign, grant, convey or license, any rights fn the inywitinnto 
GWIfinWhi'i r-i mid tint I» uljiuulftud w eA^.j^^ij Jciu luvtjniorunaer 3/ uhK 1 .9[cj if that 
peftonhadjiiadethe ^ IU , , n 

1 1 .„JL. U ^1 or a nonprofit organization under 37 CFR 1.9(e). 

EachpeRoRi conr.em nr organisation to which I We assigned, granted, coitveved. 
or license nr am undo*- an obligation under coniract or Jaw to assign, grant, convey or 
license any nghts in the invention is listed below: 

□ no such person, concern, or organization 

□ persons, concerns, or organizations listed below.* 


HOH. 05 1999 19:10 CTP9 


.Dod^^ P-Q0pMG 



QT 


l-IDMEP TEfiEfllOHA 


HQS. 
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Note; Separate verified statements are required from each named person, concern or 
organization having lights to the invention averring to their status as small entities. (3? 

□ SMALL MJ9INE3& OOfiWHW-i 



□INDIVIDUAL 

Q SMALL BUSINESS CONCERN 
□ NONPROFIT ORGANIZATION 


□ SMALL BUSINESS CONCERN 

□ NONPwDprr moAMhimn 



1 acknowledge the duly to file, in this application or patent, notification of any 
change in status resulting in loss of entitlement to small entity status p*k%r to paying, or 
at the time of paying, the earliest of the issue fee or any maintenance fee due after the 
date on vylto stahis as a s 

Iherafydeclarathatatts&tem 
that all statements made on information arid belief are believed to be true; and further 
fhat these statements were made with the knowledge that willful false statements and 
the like so made are punishable byline or imprisonment, or both, under Section 1001 of 
Title 1 8 of the United States Code, and that such willful false statements may jeopardize 
this validity of the application, any patent issuing thereon,, or any patent to which this 
verified declaration is directed. 


NAME OF INVENTOR 


Bdar Magafurovioh KHAMTTOV 


SfGNATL'RE OF INVENTOR 



DATE 


I A/ox/, s j j 0 $g 

' ■t- 1 "-nnwrniir i| i i 


LACKENBACH SIEGEL MARZULLO ARONSON & GREENSPAN. P.C. $E-B- 


I/P12.T5 09 /M 5 385 

423 Rec'd PCT/PTO 0 6 DEC 1999 

METHOD FQBJflAjg&G^ 

AND APPARATUS THEREFOR 


Field of the invention 

The invention relates to cryptographic systems, and more particularly to systems utiliz- 
5 ing digital signatures. 

Background of the invention 

Digital signatures are widely used in practice and play a role similar to the role of the 
usual hand-written signature. The advantages of the digital signature lie in the fact that its 
authenticity is easy to verify, its falsification is very difficult, and furthermore, the digital 

10 signature can easily be transmitted via telecommunication channels. Systems utilizing 
digital signature operate on data that are stored on a suitable material storage media and 
admit digital representation. 

In the RSA-scheme, called so by the names of its inventors (R. L. Rivest, A. Shamir, L. 
M. Adleman, Cryptographic Communications System and Method, U.S. Patent 4,405,829, 

15 20 Sep 1983), data are represented by integers from a certain residue system modulo an 
integer N, called the RSA-module. One usually takes the integers from 0 to N-l as a resi- 
due system. For the sake of definiteness, notions related to the RSA-scheme (A. J. Me- 
nezes, P. C. Van Oorshot, S. A. Vanstone, Handbook of Applied Cryptography, CRC 
Press, 1997, p. 285, 433) may be equipped by the prefix RSA, for example: RSA-signature, 

20 RSA-encryption, RSA-key, RSA-exponent, etc. 

The data S satisfies a digital RSA-signature property related to the data M with respect 
to the RSA-key with module N and exponent E, or in other words, S is a digital RSA- 
signature on the data M, if M = S E (mod N), where the RSA-key means arbitrary data de- 
termining the module and exponent, and the formula A = B (mod N) means that A and B 

25 are congruent modulo N, i.e., the integer (A - B) is divisible by N without a remainder. 

A digital RSA-signature on the data M can be made by a RSA-encryption of the data M, 
when a signer secret RSA-key corresponding to a public RSA-key with module N and ex- 
ponent E is used as an encryption key. Here, the RSA-encryption means a processing of 
the data X resulting in obtaining a data Y satisfying the relation Y = X c (mod N), where C 

30 and N are the exponent and module of the encryption RSA-key, respectively. The corre- 
spondence of two RSA-keys means the possibility of verifying the digital RSA-signature 
made by one RSA-key with the help of the other RSA-key, or what is the same, the possi- 
bility of decryption of the data encrypted by one key with the help of the other key. The 
correspondence of the RSA-keys with exponents A and B and module N is ensured by the 

35 condition A-B = 1 (mod cp(N)), where <p(N) is the number of the residues coprime to N. 

However, making a digital RSA-signature on the initial data M by directly RSA- 
encryption the initial data with the help of the signer secret RSA-key does not ensure the 
privacy of the suppliers, since the initial data to be signed are accessible to the signer 
when making the signature. This is clarified in the article D. Chaum, Blind signatures for 

40 untraceable payments, Advanced in Cryptology - Proceedings of Crypto 82, 1983, p. 199- 
203, where Chaum introduces the concept of blind digital signature, which is intended for 
overcoming this deficiency. 

Known in the prior art is a method for making a blind digital RSA-signature (D. Chaum, 
Blind Signature Systems, U.S. Patent 4,759,063, 19 Jul 1988), in which the supplier wish- 


2 

ing to obtain a digital RS A-signature on the initial data M chooses the randomized blinding 
key R and develops blinded data M 1 by the formula M 1 = R E M (mod N), where E is the ex- 
ponent and N is the module of the public RSA-key. The blinded data are given to the 
signer, who returns a digital RSA-signature S' on the blinded data to the supplier. The sup- 
5 plier completes obtaining the digital RSA-signature S on the initial data by unblinding the 
obtained digital RSA-signature on the blinded data with the help of the formula S s S'-R" 1 
(mod N). The known method ensures untraceability, i.e. practical impossibility for the 
signer who obtains afterwards signatures on numerous initial data, to establish the corre- 
spondence between these signatures and the processed blinded data. However, the known 

10 method does not allow to obtain a blind digital RSA-signature without knowing the kind of 
signature in advance, since the exponent E of the public key determining the kind of sig- 
nature is used for developing the blinded data. 

Known in the prior art is a method for making a blind unanticipated digital RSA- 
signature (D. Chaum, Blind Unanticipated Signature Systems, U.S. Patent 4,759,064, 19 

15 Jul 1988), which is the closest analog of the present invention and is chosen by the appli- 
cant as the prototype. In this method, a collection of admissible public RSA-exponents 
Ei,. . E k and a collection of data (gi, ... , g u ) called generators are used. For each genera- 
tor gj, digital RSA-signatures Sy corresponding to each of the admissible public RSA- 
exponents Ei are published. The supplier takes the collection (ki,. . . ,k u ) as the randomized 

20 blinding key R and develops blinded data M' by the formula MP = M-gi kl < . . . -g u ku (mod N), 
where N is the module of the public RSA-key. The blinded data M* is given to the signer, 
who chooses the kind of signature, i.e., chooses that admissible public RSA-exponent Ei to 
which the obtained digital RSA-signature corresponds. The digital RSA-signature S' on the 
blinded data corresponding to the chosen public RSA-exponent Ei, together with the in- 

25 formation on the chosen public RSA-exponent Ei, is given to the supplier. The supplier 
obtains the digital RSA-signature S on the initial data by unblinding the RSA-signature S* 
with the help of the formula S = S'*S u " kl . . *Si, u ' ku (mod N). 

In the known method for making a blind unanticipated digital RSA-signature, the un- 
traceability is ensured by certain properties of the generators with respect to secret RSA- 

30 keys, in which connection testing the suitability of the generators by the "cut and choose" 
method is used. The signature in the known method is called unanticipated because at the 
moment of giving the blinded data to the signer, the supplier does not know the kind of 
signature, i.e., the public RSA-exponent, to which the signature to be made will corre- 
spond. 

35 The deficiencies of the known method are in that the number of kinds of the obtained 
RSA-signature is limited decreasing its unanticipatability, the probability of an error in- 
creases in making the signature, and the number of the kinds of signature slows down the 
rate of making the signature. The indicated deficiencies are caused by the necessity to per- 
form the unblinding with the help of data which volume grows proportionally to the num- 

40 ber of the kinds of signature, and in turn, the data themselves require additional resources 
and time for their storage and processing. Moreover, the known method has an insufficient 
trustworthiness of the untraceability, since the suitability of the data communicated by the 
signer, in particular, of the generators, is verified by a third party, and not directly by the 
supplier. 


Known in the prior art is an apparatus for making a blind digital RSA-signature (D. 
Chaum, Blind Signature Systems, U.S. Patent 4,759,063, 19 Jul 1988). However, this ap- 
paratus is not sufficient for making a blind unanticipated digital RSA-signature. 

Known in the prior art is an apparatus for making a blind unanticipated digital RSA- 
5 signature (D. Chaum, Blind Unanticipated Signature Systems, U.S. Patent 4,759,064, 19 
Jul 1988), which is most close to the claimed apparatus and is chosen by the applicant as 
the prototype. The known apparatus consists of a blinding key choice unit including a ran- 
dom-number generator, a blinding unit, a signature unit, and an unblinding unit. The 
blinding unit has an initial data input and a blinding key input and comprises a modular 
10 exponentiator whose module input is connected to the module input of the blinding unit, 
and whose exponent input is connected to the blinding key input of the blinding unit. The 
signature unit has a secret key input and a signing data input connected with an output of 
the blinding unit. The unblinding unit has a module input, an exponent input, a blinding 
key input, an unblinding data input connected with an output of the signature unit, and an 
1 5 output for outputting the digital RSA-signature on the initial data. 

The deficiencies of the known apparatus are in that it does not allow to use an unlimited 
number of kinds of signature when making a blind digital RSA-signature, which decreases 
the unanticipatability of the RSA-signature to be made, and in the case of employment of 
this apparatus, the probability of errors when making the signature increases and the num- 
20 ber of kinds of signature slows down the rate of making the signature, which is caused by 
the necessity to enter certain data into the unblinding unit, and a procedure of searching 
these data requires time growing proportionally to the number of kinds of signature. 

Summary of the invention 
The main problem solved by the variants of the claimed invention is to create a method 
25 for making a blind digital RSA-signature and an apparatus for realization thereof, which 
ensure untraceability and high unanticipatability when making the digital RSA-signature, 
and also admit rapidly making a blind digital RSA-signature with relatively small re- 
sources. 

The technical result common to all suggested variants of the present invention, which is 
30 achieved by their realization, is that in making a blind unanticipated digital RSA-signature, 
it is possible to use an unlimited number of kinds of signature, it is not necessary to use 
technical resources growing with the increase of the number of possible kinds of signature, 
and means for storing large volumes of data and searching in them, which leads to the ac- 
celeration of making a blind digital RSA-signature and to increasing its reliability. In addi- 
3 5 tion, the trustworthiness of the untraceability increases for the reason that the properties of 
the data ensuring the untraceability can be tested, in some of the claimed variants, by the 
supplier himself. 

The claimed method for making a blind digital RSA-signature is intended exclusively 
for a hardware or computer realization, since the digital RSA-signature itself admits only 
40 the hardware or computer realization (R.L. Rivest, A. Shamir, L.M. Adleman, Crypto- 
graphic Communications System and Method, U.S. Patent 4,405,829, 20 Sep 1983). 

In the description of the invention, known means implementing basic arithmetical func- 
tions and basic functions of modular arithmetic are used. Such means can work with data 
representing integers of suitable length. To make the terminology more precise, functional 


definitions of the used apparatuses are given in what follows. By a modular multiplier a 
device with a module input and two argument inputs is meant such that if an integer N is 
fed to the module input, and integers X, Y are fed to the argument inputs, then an integer Z 
such that Z = X Y (mod N) appears at the output. By a modular inverter a device with a 
5 module input and an argument input is meant, such that if an integer N is fed to the module 
input, and an integer X, which is coprime to N, is fed to the argument input, then an integer 
Y such that X*Y = 1 (mod N) appears at the output. By a modular divider a device with a 
module input and a dividend and divisor inputs is meant such that if an integer N is fed to 
the module input, an integer X is fed to the dividend input, and an integer Y coprime to N 

10 is fed to the divisor input, then an integer Z such that Z Y = X (mod N) appears at the out- 
put. By a modular exponentiator a device with a module input, base input, and exponent 
input is meant such that if an integer N is fed to the module input, an integer X is fed to the 
base input, and an integer E is fed to the exponent input, then an integer Z such that Z == X E 
(mod N) appears at the output. By a coprimality tester a device with two inputs is meant 

1 5 such that if two integers A and B are fed to the inputs, then at the output the Boolean value 
'TRUE 1 * is obtained if the greatest common divisor of A and B is equal to 1, and the Boo- 
lean value "FALSE" otherwise. 

A number of variants of the method for making a blind digital RSA-signature are sug- 
gested. 

20 Below, a description of the method for making a blind digital RSA-signature by the first 
variant is given. The description is intended to describe the method for making a blind 
digital RSA-signature by the first variant, and should not be taken to limit the scope of the 
claimed invention, which is described more fully elsewhere in the present specification. 
The signer chooses prime numbers of suitable size as secret factors of the RSA-module 

25 N, and two secret factors are chosen in the best mode. In addition, at least one admissible 
public RSA-exponent is chosen. Admissible public RSA-exponents, i.e., public RSA- 
exponents, such that when making the digital RSA-signature it is allowed to use a secret 
RSA-key corresponding to each of them, can be chosen by the signer, the supplier, jointly 
by the supplier and the signer, or in any other arbitrary way. 

30 When making the digital RSA-signature on the initial data M, the supplier takes as the 
randomized blinding key an integer R, which is divisible by an arbitrarily taken masking 
factor G and coprime to each admissible public RSA-exponent. The randomization of R, 
i.e., introducing an element of chance into the choice of R, can be implemented, for exam- 
ple, with the help of a random-number generator or by other means. 

35 By a random-number generator a device is meant, at which output data of suitable size 
are obtained, preferably unpredictable for a party not having control of the work of such a 
device. Such devices are well known in the art. In particular, "pseudo-random" number 
generators can be used as the random-number generators. 

The coprimality of the randomized blinding key with each admissible public RSA- 

40 exponent is achieved, in particular, either by correcting the output data of the random- 
number generator with the help of admissible public RSA-exponents, or by testing the out- 
put data of the random-number generator. The divisibility of the randomized blinding key 
by the masking factor G is achieved, in particular, by correcting the output data of the ran- 
dom-number generator with the help of the masking factor. 


Using the blinding key R, the supplier blinds the initial data M and develops on their 
base blinded data M f with the help of the RSA-encryption of the initial data by the encryp- 
tion RS A-key which module coincides with the RSA-module N, and which exponent coin- 
cides with the blinding key R Such an encryption can be carried out, in particular, by a 
5 modular exponentiator. The blinded data M* satisfy the relation M = M R (mod N). The de- 
veloped blinded data M' are given to the signer, who develops a digital RSA-signature S 1 
on the blinded data with the help of the secret RSA-key corresponding to an arbitrary ad- 
missible public RSA-exponent E. Here, by the correspondence of a secret RSA-key to a 
public RSA-exponent E the correspondence of the secret RSA-key and the RSA-key to the 
10 module N and the exponent E is meant. The digital RSA-signature S' on the blinded data 
M' can be developed, in particular, with the help of a modular exponentiator, and the cre- 
ated digital RSA-signature S' on the blinded data M' satisfies the relation S' = (M') D (mod 
N). 

Making the digital RSA-signature S on the initial data M is completed by unblinding the 

15 digital RSA-signature on the blinded data. The theoretical possibility of unblinding follows 
from the relation S s (S') A -M B (mod N), where A and B are arbitrary integers satisfying the 
condition AR + B E = 1, and from the coprimality of the blinding key R and the public 
RSA-exponent E, which is ensured by choosing the blinding key R to be coprime to each 
admissible public RSA-exponent. In practice, the unblinding transformation is performed 

20 by entering the digital RSA-signature on the blinded data S 1 , the blinding key R, the RSA- 
module N, and an admissible public RSA-exponent E into a suitable unblinding converter, 
at which output the digital RSA-signature S on the initial data M is obtained. Such an un- 
blinding converter can be realized, for example, by the modular multiplicative Euclidean 
converter (MMEC), i.e., a device with a module input, two base inputs, two corresponding 

25 exponent inputs, and an output, such that if a positive integer N is fed onto the module in- 
put of the MMEC, an integer X coprime to N is fed onto one of the base inputs, an integer 
A is fed onto the corresponding exponent input, an integer Y coprime to N is fed onto the 
other base input, and an integer B coprime to A is fed onto the corresponding exponent in- 
put, then at the output an integer Z such that Z = X°- Y D (mod N) is obtained, where C and 

30 D are arbitrary integers satisfying the relation A-C + B*D=L To confirm the readability of 
an MMEC, the applicant describes an example of a concrete realization of an MMEC and 
of its performance in Example 5 given below. Other examples of MMEC could be imple- 
mented by those skilled in the art on the basis of the known information. For example, the 
integers C and D can be determined from the integers A and B with the help of a device 

35 implementing the familiar generalized Euclid algorithm (D. Knuth, The Art of Computer 
Programming, Vol.2, Seminumerical Algorithms (Russian translation), Mir Publishers, 
Moscow, 1977, pp. 367-368), after which Z can be obtained with the help of a modular ex- 
ponentiators and a modular multiplier. 

The untraceability in the method for making a blind digital RSA-signature by the first 

40 variant is ensured, in particular, by choosing the secret factors and the masking factor 
which ensure the suitable blinding level. By the blinding level the probability is meant of 
the fact that for random initial data X uniformly distributed among all the invertible resi- 
dues modulo N, and random independent data Yi and Y2 uniformly distributed among the 
invertible residues modulo N that are G-th powers modulo N, the probability of obtaining 
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Yi by blinding X is equal to the probability of obtaining Y 2 by blinding X. If the blinding 
level is close to the unity, then practically every blinded data can correspond with equal 
probability to practically every initial data, which ensures the untraceability. Smaller val- 
ues of the blinding level ensure smaller untraceability. For example, if the blinding level is 
5 close to one third, then, in the general case, for a large number of initial data, the signer can 
couple individual initial data with one of the three groups of blinded data. Here, within 
each of the three groups, all correspondences between the initial data and the blinded data 
will be equiprobable. In practice, the acceptability of such level of untraceability depends 
on the problem to be solved. 
10 The predetermined blinding level is ensured, in particular, by choosing the RSA-module 
corresponding to exactly two secret factors P and Q and by choosing the masking factor G 
to be a multiple of the greatest common divisor of the numbers P-l and Q-l, and also a 
multiple of all divisors of each of numbers P-l and Q-l that are less than a predetermined 
bound U. 

1 5 The choice of an appropriate bound U, in particular, is ensured by the fact that if one 
chooses exactly two secret factors P and Q and a masking factor G which is divisible both 
by the greatest common divisor of the numbers P-l and Q-l and by all divisors of each of 
the numbers P-l and Q-l that are less than U, then the blinding level is greater than (1 - 
Log(N)/[U*Log(U + l)]) 2 For example, if the RSA-module has a length of 1024 bits and U 

20 =10 8 , then the blinding level is greater than 1- 4* 10" 7 This estimate is confirmed by the fact 
that the blinding level is at least (1- W) 2 , where W is the probability of the fact that the set 
of all blinded data that can be developed on the basis of the initial data M randomly and 
uniformly distributed among all invertible residues modulo N, i.e., the set of the invertible 
residues of the form M R (mod N), where R runs through all integers divisible by G, coin- 

25 cides with the group Z of all invertible residues of the form C G (mod N), where C runs 
through all invertible residues modulo N. The probability W does not exceed 1-11(1- L* ), 
where the product is taken over all prime divisors L of (P - 1)*(Q - 1) that are greater than 
U. In particular, the probability W is less than Log(N)/[U-Log(U +1)]. 

The divisibility of the masking factor G by all divisors of each of numbers P-l and Q-l 

30 that are less than a predetermined bound U, is ensured, in particular, by the fact that, when 
choosing the secret factors P and Q, one tests whether they are congruent to the unity 
modulo all divisors that are greater than 2 and less than U, and after testing, the masking 
factor is chosen to be divisible by all divisors that are less than U, and modulo which is 
congruent to the unity at least one of the chosen secret factors. 

35 In addition, the divisibility of the masking factor G by all divisors of each of the num- 
bers P-l and Q-l that are less than a predetermined bound U, is ensured, in particular, by 
the fact the secret factors P and Q are chosen so that P-l and Q-l are not divisible by any 
of the divisors that are greater than 2 and less than a predetermined bound U and that do 
not divide the chosen masking factor G 

40 The divisibility of the masking factor G by the greatest common divisor of the secret 
factors decremented by 1 is ensured, in particular, by additionally pairwise testing the se- 
cret factors for congruence with 1 modulo all those divisors which are greater than 2. Fur- 
thermore, the divisibility of the masking factor G by the greatest common divisor of the 
numbers P-l and Q-l can be ensured by taking the masking factor G to be even, and tak- 


ing the secret factors P and Q so that the greatest common divisor of the numbers P-l and 
Q-l is equal to 2. 

In addition, the divisibility of the masking factor G by the greatest common divisor of 
the numbers P-l and Q-l is ensured, in particular, by taking the masking factor G to be a 
5 multiple of the greatest divisor of N-l that is coprime to the chosen admissible public 
RSA-exponents. In this case, the fact that G is a multiple of the greatest common divisor of 
the numbers P-l and Q-l is confirmed by the fact that N-l is divisible by all common di- 
visors of P-l and Q-l, since N-l = (P-l)Q + (Q-l). What is more, the divisibility of the 
masking factor G to be chosen by the greatest divisor of N-l coprime to the chosen admis- 

10 sible public RSA-exponents is ensured by choosing admissible public RSA-exponents to 
be coprime to N-l and by choosing the number N-l as the masking factor G. 

High unanticipatability of the method for making a blind digital RSA-signature by the 
first variant is ensured, in particular, by an arbitrary choice of the secret RSA-key corre- 
sponding to the chosen secret factors and to an arbitrary admissible public RSA-exponent 

15 and by choosing an arbitrarily large set of admissible public RSA-exponents, each of 
which corresponds to a certain kind of the signature. The choice of the kind of signature, 
i.e., of the public RSA-exponent corresponding to the secret key that is used when making 
a signature on the blinded data, can be performed by the supplier, by the signer, jointly by 
the supplier and the signer, or in a different way. 

20 Furthermore, the high unanticipatability of the method for making a blind digital RSA- 
signature by the first variant is ensured by the fact that blinding the initial data does not re- 
quire the admissible public RSA-exponents themselves, and it is only required to ensure 
the coprimality of the blinding key with each admissible public RSA-exponent. Such a 
choice, even for a very large set of admissible public RSA-exponents, can be performed 

25 very effectively. For example, if, when choosing admissible public RSA-exponents, one 
chooses at least one basic public RSA-exponent, and an arbitrary public RSA-exponent, 
whose divisors are divisors of the chosen basic public RSA-exponents, is taken as the ad- 
missible public RSA-exponent then the choice of the blinding key coprime to each of the 
admissible public RSA-exponents is performed by testing its coprimality with each of the 

30 basic public RSA-exponents. The set of the basic public RSA-exponents can be given, for 
example, by explicit enumeration, by indication of its boundaries, or by other means. For 
example, if the integer Lr...-Lk ? is chosen as the basic public RSA-exponent, then the set 
of admissible public RSA-exponents is practically unlimited, since every integer of the 
form Li^-.-.-Lk^, where Ki,... , Kk are nonnegative integers, can be chosen as an admis- 

3 5 sible public RSA-exponent. 

As indicated above, the untraceability in the method for making a blind digital RSA- 
signature by the first variant is ensured, in particular, by choosing the RSA-module corre- 
sponding to exactly two secret factors P and Q and by choosing the masking factor G to be 
a multiple both of the greatest common divisor of the numbers P-l and Q-l and of all di- 

40 visors of each of the numbers P-l and Q-l, which are less than an appropriate predeter- 
mined bound U. The suppliers can check these properties of the secret factors and of the 
masking factor with the help of the known method "cut and choose" and without disclosing 
the secret factors by the signer. More precisely, the signer initially chooses a large number 
of sets of RSA-modules and masking factors and makes them public. The suppliers' repre- 


sentative chooses a sufficiently large part of the published sets, after which the signer dis- 
closes the corresponding secret factors for each set chosen by the suppliers' representative. 
Haying the secret factors, the suppliers' representative checks the properties of the secret 
factors and of the masking factor in the chosen sets. Thus, the suppliers' representative 
5 convinces himself indirectly of the correctness of the choice of the secret factors and the 
masking factor in the sets not chosen by him, one of which is used by the signer for mak- 
ing the signature. 

Furthermore, the trustworthiness of untraceability in some variants increases for the rea- 
son that the properties of the data ensuring the untraceability can be tested by the supplier 

10 himself, and not by his representative, at an arbitrary moment of time. Namely, as indi- 
cated above, the untraceability, in particular, is ensured by the fact that the RSA-module is 
the product of exactly two secret factors P and Q, and that the masking factor is divisible 
by all divisors of P-l and Q-l which are greater than 2 and less than a certain predeter- 
mined bound U. In this case, the supplier can check the mentioned properties of the RSA- 

15 module and the masking factor with the help of the signer, however, without confiding to 
the signer or to a third party. Here, the signer confides his secrets to no third party. 

Testing the fact that the RSA-module N is the product of exactly two prime factors can 
be implemented, in particular, as follows. The signer communicates to the interested par- 
ties a pair of numbers (U, V) such that each invertible residue modulo N, multiplied by a 

20 quadratic residue modulo N, is congruent to one of the numbers { 1, U, V, UV} modulo N. 
After that, the supplier can test the property of N indicated above with the help of the 
signer, for example, as follows. The supplier gives a random number X to the signer, who 
returns to the supplier the data Y such that Y 2 -X l (mod N) e {1, U, V, UV}. Every such 
an answer reduces the probability of the fact that N consists of more than two factors, at 

25 least, by one half. For the signer security, it could be required that X is either a prime num- 
ber not exceeding a certain predetermined bound, or a value taken by a certain crypto- 
graphic hash-function (A. J. Menezes, P. C. Van Oorshot, S. A. Vanstone, Handbook of 
Applied Cryptography, CRC Press, 1997, p. 321) on a value shown by the tester. Further- 
more, if the answers to such requests are obtained for all prime numbers X less than a cer- 

30 tain explicit bound, then the supplier can be sure that N is the product of at most two prime 
numbers, since if the RSA-module N is the product of at least three prime numbers and for 
each prime odd number L less than T there is a residue X modulo N such that L X 2 (mod 
N) belongs to the set {1, U, V, UV}, then the generalized Riemann hypothesis which, 
though not proved mathematically, has been verified experimentally to a large degree, im- 

3 5 plies that T is less than C[Log (N)] 2 , where the value C can be obtained with the help of the 
known estimates (J. Oesterle, Versions effectives du theoreme de Chebotarev sous l'hy- 
pothese de Riemann generalisee, Soc. Math. De France, Asterisque 61, 1979, p. 165-167). 
In particular, it is sufficient to take C = 70. 

To verify that the masking factor is divisible by all divisors of P-l and Q-l that are 

40 greater than 2 and less than a certain predetermined bound U, it is sufficient for the sup- 
plier to ascertain that for each integer L which is less than a predetermined bound, does not 
divide the masking factor G, and is either an odd prime number or equal to 4, P-l and Q-l 
are not divisible by L. For this purpose, in the case of an odd L, the supplier sends a re- 
quest R to the signer and receives the answer R 1/L (mod N). Every such an answer to a re- 


quest lowers by a factor L the probability of the fact that P-l or Q-l is divisible by L. For 
the signer security, one could require that R either be less than a certain bound or be the 
value taken by a certain cryptographic hash-function on the value indicated by the supplier. 
Furthermore, if the answers to such requests are obtained for all prime numbers R less than 
5 a certain explicit bound, then the supplier can be sure that P-l and Q-l have no odd prime 
divisors L less than a certain predetermined bound, since if N is divisible by an odd prime 
number P, and P-l is divisible by an odd prime L, and for each residue R modulo N, where 
R is less than a predetermined bound T, there is a residue A such that A L = R (mod N), 
then the generalized Riemann hypothesis implies that T is less than D(Log N) 2 , where the 

10 value D can be obtained with the help of the known estimates (J. Oesterle, Versions effec- 
tives du theoreme de Chebotarev sous l'hypothese de Riemann generalisee, Soc, Math. De 
France, Asterisque 61, 1979, p. 165-167). In particular, it is sufficient to take D = 70. In- 
stead of verifying the fact that P-l and Q-l are not divisible by L for each individual L, it 
is sufficient to verify this property for a set of numbers Ai, A s , such that each prime 

15 number that is less than a certain predetermined bound divides at least one of the Ai. The 
supplier can make sure that P-l and Q-l are not divisible by 4 in the following way. First, 
having checked that that P-l and Q-l are not divisible by 3, the supplier can be sure that 
the integer (-3) is not congruent to the square of any integer modulo P and modulo Q. Sec- 
ond, the signer convinces the supplier that the integer 3 is a square modulo P and modulo 

20 Q by giving an integer R such that R 2 = 3 (mod N). Thus, the supplier makes sure that the 
integer (-1) is not congruent to the square of any integer both modulo P and modulo Q, 
and, consequently, makes sure that P-l and Q-l are not divisible by 4. In addition, having 
checked that P-l and Q-l are not divisible by 4, the supplier can make sure that P-l and 
Q-l are not divisible by an odd prime number L by verifying that the integer X is not con- 

25 gruent to the square of any integer modulo P and modulo Q, where X - L, if L = 1 (mod 4) 
and X = -L, if L = 3 (mod 4). The signer convinces the supplier of this fact by giving an 
integer R such that R 2 = -X (mod N). This is possible for approximately one half of odd 
numbers L. 

Below, a description of the method for making a blind digital RSA-signature by the 
30 second variant is presented. The description is intended to describe the method for making 
a blind digital RSA-signature by the second variant and should not be taken to limit the 
scope of the invention, which is described more fully elsewhere in the present specifica- 
tion. 

The signer chooses prime numbers of suitable size as the secret factors of the RSA- 
35 module N, and two secret factors are chosen in the best mode. The chosen RSA-module N 
is made public. Furthermore, one chooses arbitrary basic public RSA-exponents Ei, ...,Ek, 
which number depends on the problem to be solved. Such a choice can be performed by 
the supplier, by the signer, jointly by the supplier and the signer, or in a different way. In 
addition, arbitrary nonnegative integers are chosen as the limiting multiplicities Li, L k 
40 of the basic public RSA-exponents Ei, Ek, respectively. Such a choice can be per- 
formed by the supplier, by the signer, jointly by the supplier and the signer, or in a differ- 
ent way. As an admissible public RSA-exponent, one takes an arbitrary public RSA- 
exponent composed of chosen basic public RSA-exponents, taking the multiplicity of each 
of them in the limits of the chosen limiting multiplicity. In other words, the admissible 
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public RSA-exponents of the form E = Ei^-. ..-Ek^ are taken as admissible, where each of 
the multiplicities Ai,..., Ak, with which the basic public RSA-exponents Ei, E k , re- 
spectively, occur in E, is a nonnegative integer not exceeding the limiting multiplicities Li, 
L k , respectively. 

5 When making a blind digital RSA-signature on the initial data M, the supplier takes an 
integer of suitable size as the randomized blinding key R. The choice of the randomized 
blinding key R can be carried out by the random-number generator. 

The supplier develops blinded data M' by processing the chosen initial data with the 
help of the data F obtained as a result of RS A-encryption the blinding key R. The blinded 

10 data M' satisfy the relation M' = FM (mod N) and can be obtained by the modular multi- 
plier. The data F is obtained by RS A-encryption the blinding key R with the help of the en- 
cryption RSA-key which corresponds to the RSA-module N and to the RSA-exponent U 
composed of the chosen basic public RSA-exponents Ei, E k , each of which is taken 
with the chosen limiting multiplicity U, U, respectively. In other words, F = R u (mod 

15 N), where U = U r ...-U k , and Ui = Ei L1 , :, U k = Ek 1 *. In particular, when developing 
blinded data, the RSA-encryption can be carried out by a modular exponentiator. 

The blinded data M' are given to the signer, who develops the digital RSA-signature S' 
on the blinded data M 1 with the help of the secret RSA-key corresponding to the chosen se- 
cret factors and to an arbitrary admissible public RSA-exponent V. The choice of the em- 

20 ployed secret RSA-key is implemented by an arbitrary choice of the employed multiplici- 
ties Ki, Kk of the basic public RSA-exponents Ei, E k , respectively. Here, the em- 
ployed multiplicities Ki, Kj, are chosen in the limits of the chosen limiting multiplici- 
ties Li, L k , respectively. In other words, the multiplicities Ki, Kfc are nonnegative 
integers not exceeding the numbers Li, L k , respectively, and V = Ei K1 -...-E k . The 

25 digital RSA-signature S' on the blinded data M' can be developed, in particular, by a 
modular exponentiator. The developed digital RSA-signature S' on the blinded data M' 
satisfies the relation S' = (M') D (mod N), where D is the secret RSA-exponent correspond- 
ing to the public RSA-exponent E. In particular, the digital RSA-signature S' on the 
blinded data can be developed by a modular exponentiator. The developed digital RSA- 

30 signature S' on the blinded data M' is given to the supplier. 

The supplier develops an unblinding key T corresponding to the blinding key R and the 
secret RSA-key used for developing the digital RSA-signature on the blinded data, by 
RSA-encryption the blinding key with the help of the encryption RSA-key which module 
is the RSA-module, and which RSA-exponent corresponds to the basic public RSA- 

35 exponents, each of which is taken with multiplicity Li-Ki,..., L k -Kk, respectively. In other 
words, the unblinding key T satisfies the relation T = R v (mod N), where V = Vr- •■• V k , 
Vj = Ei L1 " K1 ,. V k = E k Lk ' Kk . In particular, when developing the unblinding key the RSA- 
encryption can be carried out by a modular exponentiator. The digital RSA-signature S' on 
the blinded data is unblinded by entering S', the unblinding key T, and the RSA-module N 

40 into the unblinding converter. At the output of the unblinding converter, one obtains data S 
satisfying the relation S = S' T" 1 (mod N), which is a digital RSA-signature on the initial 
data M. 

In particular, the RSA-encryption of the blinding key R when developing the blinded 
data can be implemented by successive RSA-encryptions with the help of encryption RSA- 
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keys, such that the module of each of them is equal to N, and as the RSA-exponent of the 
next encryption key one takes the next basic public RSA-exponent Ei with limiting multi- 
plicity U i e., the RSA-exponent Ui = Ei Li , where the subscript i takes successively the 
values from 1 to k. Furthermore, the unblinding key T can be developed by successive 
5 RS A-encryptions with the help of encryption RS A-keys, the RS A-module N is taken as the 
module of each of them, and as the RSA-exponent of the next encryption key one takes the 
next basic public RSA-exponent Ei with multiplicity Li-Ki, i.e., the RSA-exponent Vi = 
Ei Li ~ Ki , where the subscript i takes successively the values from 1 to k. 

An apparatus implementing the claimed method for making a digital RSA-signature. is 

10 suggested. Below, a description of the suggested apparatus is given, which is intended to 
describe the claimed apparatus and should not be taken to limit the scope of the invention, 
which is described more fully elsewhere in the present specification. 

In the description given below, by a divider a device with a dividend and divisor input is 
meant, such that if an integer X is fed to the dividend input, and a positive integer Y is fed 

15 to the divisor input, then at the output the incomplete quotient of X and Y is obtained, i.e., 
an integer Z such that 0 < X - YZ < Y. By the remainder calculator a device with an argu- 
ment input and a module input is meant, such that if an integer X is fed to the argument in- 
put and a positive integer Y is fed to the module input, then at the output the remainder of 
division of X by Y is obtained, i.e., an integer Z from the interval 0 to Y - 1 such that X - Z 

20 is divisible by Y without a remainder. Such dividers and remainder calculators are well 
known in the art. 

The description is illustrated by Fig.l, which depicts an apparatus for making a blind 
digital RSA-signature, comprising a blinding key choice unit 1, a blinding unit 2, a signa- 
ture unit 3, and an unblinding unit 4. The blinding key choice unit comprises a random- 

25 number generator 5 and an arithmetic controller 6, which has an inadmissible divisor input 
7, an obligatory divisor input 8, and a trial data input 9, the output of the random-number 
generator being connected to the trial data input 9 of the arithmetic controller, and the out- 
put of arithmetic controller 6 being connected to the output of the blinding key choice unit. 
Blinding unit 2 has an initial data input 10, a module input 1 1, and a blinding key input 12, 

30 and comprises a modular exponentiator not shown in Fig.l, the initial data input 10, the 
blinding key input 12 and the module input 1 1 of the blinding unit being connected to the 
base input, the exponent input, and the module input of the modular exponentiator, respec- 
tively. Signature unit 3 has a secret key input 13 and a signature data input 14, the signa- 
ture data input 14 of the signature unit 3 being connected to the output of the blinding unit 

35 2. The unblinding unit 4 has an unblinding data input 15, a module input 16, an exponent 
input 17, a blinding key input 18 and an initial data input 19 and comprises a modular 
multiplicative Euclidean converter (MMEC), which is not shown in Fig.l, the module in- 
put 16 being connected to the module input of the MMEC, the initial data input 19 being 
connected to one of the base inputs of the MMEC, and the unblinding data input 15 being 

40 connected to another base input of the MMEC, the blinding key input 18 being connected 
to the exponent input of the MMEC corresponding to the base input of the MMEC con- 
nected to the unblinding data input 15, and the exponent input 17 being connected to the 
exponent input of the MMEC corresponding to the base input of the MMEC connected to 
the initial data input 19, and the output of the MMEC being connected to the output of the 
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unblinding unit. 

By the arithmetic controller a device is meant ensuring predetermined arithmetical 
properties of the output data of the apparatus which work is controlled by the arithmetic 
controller. In particular, in the description given above the arithmetic controller ensures the 
5 coprimality of the output data of the blinding key choice unit with the integers fed to the 
first limiting input of the arithmetic controller, and the divisibility of the output data of the 
blinding key choice unit by the integer fed to the second limiting input of the arithmetic 
controller. 

With the help of the suggested apparatus, the supplier, with the participation of the 
0 signer, can make a blind digital RS A-signature on the initial data by the first variant of the 
claimed method. For this purpose, the supplier feeds the initial data M onto the initial data 
input, and the RSA-module N known from the communication of the signer onto the mod- 
ule input of the blinding unit. In addition, the supplier feeds the basic public RSA- 
exponents onto the first limiting input of the arithmetic controller, and the masking factor 
5 onto the second limiting input of the arithmetic controller. The blinding key R appears at 
the output of the blinding key choice unit and is fed to the blinding key input of the blind- 
ing unit at which output the blinded data M' appears. The signer feeds the employed secret 
RSA-key to the secret key input of the signature unit. The blinded data M' are fed to the 
signing data input of the signature unit, and the digital RS A-signature S' on the blinded 
20 data M' appears at the output of the signature unit and is fed to the unblinding data input of 
the unblinding unit. In addition, the supplier feeds the RSA-module N, the initial data M, 
and the public RSA-exponent E corresponding to the employed secret RSA-key, respec- 
tively, onto the module input, the initial data input, and the exponent input of the unblind- 
ing unit. In addition, the blinding key R is fed into the blinding key input of the unblinding 
25 unit from the output of the blinding key choice unit. The digital RS A-signature S on the 
initial data appears at the output of the unblinding unit. 

Brief description of the drawings 
In what follows the present invention is clarified by the description of specific examples 
of its implementation and by accompanying drawings, where: 
30 Fig. 1 shows an apparatus for making a blind digital RS A-signature; 
Fig. 2 shows an arithmetic controller; 

Fig.3 shows a modular multiplicative Euclidean converter (MMEC). 

Best embodiment of the invention 
In the best embodiment of the method for making a blind digital RS A-signature by the 
3 5 first variant, the blinding level W is set, which depends on the problem to be solved. By the 
predetermined blinding level, a bound U is set sufficient for ensuring the predetermined 
blinding level. The bound U can be determined with the help of the formulas that relate U 
with the blinding level and are given in the description of the invention. Furthermore, sev- 
eral odd integers are chosen as basic public RSA-exponents which number depends on the 
40 problem to be solved, and an arbitrary public RSA-exponent is chosen as the admissible 
public RSA-exponent, which divisors are divisors of the chosen basic public RSA- 
exponents. The signer takes two prime numbers P and Q of suitable size as the secret fac- 
tors, such that each of the integers P-l and Q-l has no divisors greater than 2 and less than 
the predetermined bound U, and is coprime to each of the chosen basic public RSA- 


exponent. The choice of such prime numbers can be performed, for example, by testing the 
trial prime numbers, which are obtained in one of the known ways with the help of ran- 
dom-number generators. The RSA-module N is obtained by multiplication of the chosen 
secret factors. The chosen RSA-module N, the chosen basic admissible exponents, and 
5 chosen the bound U are made public. The greatest of those divisors of the RSA-module 
decremented by 1 that are coprime to the chosen admissible public RSA-exponents is cho- 
sen as the masking factor G. 

The supplier chooses the randomized blinding key R as the product of the masking fac- 
tor and of an integer of suitable size obtained at the output of a cryptographic random- 

10 number generator with uniform distribution (A. J. Menezes, P. C. Van Oorshot, S. A. 
Vanstone, Handbook of Applied Cryptography, CRC Press, 1997, p. 185). 

The supplier blinds the initial data M and develops on their base the blinded data M' 
with the help of the RSA-encryption of the initial data by the encryption RSA-key with the 
module N and exponent R The developed blinded data M* is given to the signer. The 

15 signer performs the choice of the kind of signature, i.e., the choice of the admissible public 
RSA-exponent E, corresponding to the secret key used for making a signature on the 
blinded data and develops the digital RS A-signature S' on the blinded data M' with the help 
of the secret RSA-key corresponding to the chosen public RSA-exponent E. The developed 
digital RSA-signature S* on the blinded data M' is given to the supplier together with the 

20 information on the chosen admissible public RSA-exponent E, after which the supplier 
completes making the digital RSA-signature S on the initial data M by unblinding the 
RSA-signature S' with the help of the unblinding converter. 

The signature property of the digital RSA-signature on the initial data M can be con- 
firmed for the data S obtained at the output of the unblinding converter either after their 

25 unblinding by a direct verification, or before their unblinding by verifying the fact that S' 
meets a digital RSA-signature property related to the blinded data M. 

In addition, to verify that the predetermined blinding level is ensured, the supplier can 
check, by one of the ways described in the description of the invention, whether the pub- 
lished RSA-module is composed of exactly two secret factors, and each of the secret fac- 

30 tors is not congruent to the unity modulo the divisors greater than 2 and less than the pub- 
lished bound U. 

The possibility of realization of the above-described best embodiment of the method for 
making a blind digital RSA-signature by the first variant is clarified by the following ex- 
ample. 
35 Example 1 

Suppose that secret factors having size of 5 12 bits are used, and the blinding level W=l- 
4-10" 7 is assumed to be sufficient. With the help of the formulas presented in the descrip- 
tion of the invention, the bound U-10" 8 is set sufficient for ensuring the predetermined 
blinding level. The integers Ei=3, E 2 =5, E3=7 are chosen as basic public RSA-exponents. 
40 The signer takes as the secret factors two prime numbers P and Q having size of 512 bits 
and the RSA-module N = PQ, which is obtained from P and Q with the help of the multi- 
plier. Here, the secret factors are chosen to be such that each one of the integers P-l and 
Q-l has no divisors greater than 2 and less than the predetermined bound U, and each one 
of the integers P-l, Q-l, and N-l is coprime to each basic public RSA-exponent. Such se- 
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cret factors are chosen by testing the mentioned properties of the trial secret factors, which 
are prime numbers having size of 512 bits and obtained with the help of the cryptographic 
random-number generator. The choice of such prime numbers and their testing is per- 
formed in one of the known ways (A. J. Menezes, P. C. Van Oorshot, S. A. Vanstone, 
5 Handbook of Applied Cryptography, CRC Press, 1997, p. 145). The chosen RSA-module 
N and the basic admissible exponents are made public. 

For choosing the masking factor, a subtracter is used, to the minuend input of which the 
RSA-module N is fed and to the subtrahend input of which the integer 1 is fed. At the sub- 
tractor output the integer N - 1 is obtained, which is taken as the trial masking factor. The 

10 trial masking factor is processed by each of the basic public RSA-exponents. The process- 
ing of the trial masking factor by each current basic public RSA-exponent Ei is performed 
in several steps, each of which proceeds as follows. In the case where the trial masking 
factor is coprime to E i; which fact is detected by a coprimality tester, one assumes that the 
processing of the trial masking factor by the current basic public RSA-exponent Ei is fin- 

15 ished, and proceeds to processing the trial masking factor by the next basic public RSA- 
exponent. In the case where the trial masking factor is not coprime to E i? the trial masking 
factor is fed to the dividend input, and Ei is fed to the divisor input of the divider which 
output data are taken as the new trial masking factor. After this, to the next step of proc- 
essing the trial masking factor by the basic public RSA-exponent Ei is performed. The trial 

20 masking factor processed by each of the basic public RSA-exponents is taken as the trial 
masking factor G. 

The supplier obtains the randomized blinding key R at the output of the multiplier to 
which inputs the masking factor G and an integer of suitable size are fed, which integer is 
coprime to each basic public RSA-exponent. Such an integer is obtained by checking 

25 whether the trial integers obtained at the output of the cryptographic random-number gen- 
erator with uniform distribution are coprime to each of the basic public RSA-exponents. 
The supplier chooses an arbitrary integer representing the data to be signed as the initial 
data M. Initial data M are fed to the base input of the modular exponentiator, the blinding 
key R is fed to the exponent input of the modular exponentiator, and the RSA-module N is 

30 fed to the module input of the modular exponentiator. At the output of the modular expo- 
nentiator the blinded data M' are obtained, which are delivered to the signer via telecom- 
munication nets. 

The signer takes, as the secret key, the pair consisting of the RSA-module N and a se- 
cret RSA-exponent D, and the choice of the secret RSA-exponent is carried out by choos- 

35 ing arbitrary nonnegative integers Ki, K 2? and K 3 as the multiplicities of basic public RSA- 
exponents Ei, E2, and E 3 , respectively. The secret RSA-exponent D is obtained with the 
help of the modular exponentiator and the modular multiplier, and the obtained secret 
RSA-exponent satisfies the relation D s Di K1 D 2 K2 D 3 K3 (mod (P-1>(Q-1)). Here, Di is 
obtained at the output of the modular inverter to which module input the integer (P-l)-(Q- 

40 1) is fed, and to which argument input the basic public RSA-exponent Ei is fed. Now, D 2 is 
obtained from E 2 , and D 3 is obtained from E 3 in a similar way. The blinded data M' is fed 
onto the base input of the modular exponentiator, the secret RSA-exponent D is fed onto 
the exponent input of the modular exponentiator, and the RSA-module N is fed onto the 
module input of the modular exponentiator. The data S' obtained at the output of the 
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modular exponentiate* is given to the supplier as a digital RSA-signature on blinded data 
together with the chosen multiplicities Ki, K 2 and K 3 . 

Using the modular exponentiators and the modular multiplier, the supplier obtains a 
public RSA-exponent E satisfying the relation E = Ei K1 -E 2 K2 -E 3 K3 (mod (P-l)-(Q-l))- 

5 When unblinding, the digital RSA-signature S l on the blinded data M' is fed to the first 
base input of an MMEC, the initial data M is fed to the second base input of the MMEC, 
the blinding key R is fed to the first exponent input of the MMEC, public RSA-exponent E 
is fed to the second exponent input of the MMEC, and the RSA-module N is fed to the 
module input of the MMEC. At the output of the MMEC a data S are obtained, which is 

1 0 the digital RSA-signature on the initial data M. 

To confirm the signature property of the digital RSA-signature on the initial data M the 
supplier feeds the data S obtained at the output of the unblinding converter, onto the base 
input of the modular exponentiator, the public RSA-exponent E onto the exponent input of 
the modular exponentiator, and the RSA-module N onto the module input of the modular 

15 exponentiator. The output data of the modular exponentiator are fed to an input of the 
comparator onto another input of which the initial data M are fed. If one obtains the Boo- 
lean value "TRUE" at the output of the comparator, then the data S obtained at the output 
of the unblinding converter, are taken for a digital RSA-signature on the initial data M. 
In the best embodiment of the method for making a blind digital RSA-signature by the 

20 second variant, the signer takes several odd pairwise coprime integers Ei,..., E k which 
number depends on the problem to be solved as basic public RSA-exponents, and two 
prime numbers P and Q of suitable size such that each of the two integers P-l and Q-l is 
coprime to each of the chosen basic public RSA-exponents, as the secret factors. The 
choice of such prime numbers can be performed, for example, by testing the trial prime 

25 numbers, which are obtained in one of the known ways with the help of the random- 
number generators. The RSA-module N is obtained by multiplying the chosen secret fac- 
tors. The basic admissible exponents chosen are made public. The limiting multiplicities 
Li,..., U of the basic public RSA-exponents Ei,..., E k , respectively, are chosen by the 
supplier in accordance with the problem to be solved. The supplier chooses the randomized 

30 blinding key R with the help of the cryptographic random-number generator with a uni- 
form distribution. 

The following example clarifies the possibility of realization of the above-described 
best embodiment of the method for making a blind digital RSA-signature by the second 
variant. 
35 Example 2 

The signer chooses integers Ei=3, E2=5, E 3 =7 as the basic public RSA-exponents. The 
signer takes two prime numbers P and Q having size of 512 bits and the RSA-module N = 
P*Q, which is obtained from P and Q with the help of a multiplier, as the secret factors. 
Furthermore, the secret factors are chosen to be such that each of the integers P-l, Q-l, 
40 and N-l is coprime to each basic public RSA-exponent. Such secret factors are chosen by 
testing the mentioned properties of trial secret factors, which are prime numbers having 
size of 512 bits and obtained with the help of the cryptographic random-number generator. 
The choice of such prime numbers and their testing are performed in one of the known 
ways (A. J. Menezes, P. C. Van Oorshot, S. A. Vanstone, Handbook of Applied Cryptog- 
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raphy, CRC Press, 1997, p. 145). The chosen RSA-module N and the chosen basic admis- 
sible exponents are made public. 

As the initial data M, the supplier takes an arbitrary integer representing the data to be 
signed. As the limiting multiplicities Li, L 2 , L 3 of the basic public RSA-exponents Ei, E2, 
5 E 3 , respectively, the supplier chooses arbitrary nonnegative integers depending on the 
problem to be solved; in this example, we have Li = 100, L 2 = 50, L 3 = 10. As the ran- 
domized blinding key R, the supplier takes an integer having size of 1024 bits and appear- 
ing at the output of the cryptographic random-number generator with a uniform distribu- 
tion. 

1 0 The supplier obtains from the blinding key R a chain of data F 0? Fi, . . . , F L , where L = Li 
+ L 2 + L 3 . Here, the blinding key R is taken as the data F0, and the next data Fj is obtained 
at the output of the modular exponentiator to which module input the RSA-module N is 
fed, to which base input the preceding element of the chain is fed, and to which exponent 
input the RSA-exponent E x is fed U times, the RSA-exponent E2 is fed L 2 times, and the 

15 RSA-exponent E 3 is fed L 3 times. The obtained data F L is fed to the argument input of the 
modular multiplier, onto which another input the initial data M are fed, and onto which 
module input the RSA-module N is fed. At the output of the modular multiplier the blinded 
data M* are obtained, which are delivered to the signer via telecommunication nets, to- 
gether with the information on the chosen limiting multiplicities Li, Li, L 3 . 

20 The signer takes the employed multiplicities Ki, K 2 , K 3 of the basic public RSA- 
exponents Ei, E 2 , E 3 , respectively. Here, the used multiplicities K h K 2 , K 3 are chosen in 
the limits of the chosen limiting multiplicities Li, U, L 3? respectively. In this example, one 
takes Ki = 90, K 2 = 40, K 3 = 1. The secret RSA-key and the digital RSA-signature S' on 
the blinded data M' are created in the same way as in the Example 1 . 

25 The supplier obtains from the blinding key R a chain of data T 0 , Ti,. . ., Ti, where I = Li- 
Ki + L 2 -K 2 + L 3 -K 3 . Here, the blinding key R is taken as the data T 0 , and the next data Tj is 
obtained at the output of the modular exponentiator to which module input the RSA- 
module N is fed, to which base input the preceding element of the chain is fed, and to 
which exponent input one feeds the RSA-exponent E x is fed (L r Ki) times, the RSA- 

30 exponent E 2 is fed (L2-K2) times, and the RSA-exponent E 3 is fed (L 3 -K 3 ) times. The ob- 
tained data Ti are taken as the unblinding key T. A modular divider is used as the unwind- 
ing converter. When unblinding, the digital RSA-signature S' on blinded data, the un- 
blinding key T, and the RSA-module N are fed to the dividend input, the divisor input, and 
the module input of the modular divider, respectively. At the output of the unblinding con- 

35 verter, a digital RSA-signature on the initial data M is obtained. 

In the best embodiment of the apparatus for making a blind digital RSA-signature, a 
cryptographic random-number generator with a uniform distribution is used as the random- 
number generator. The possibility of implementing the apparatus for making a blind digital 
RSA-signature is clarified by the following concrete example, which is illustrated by Fig.l 

40 described in the description of the claimed apparatus. 
Example 3 

Though in real digital RSA-signature systems the secret factors are used consisting of 
many dozens of digits, for the sake of simplicity in this example the secret factors consist 
of a small number of digits. Suppose that the signer has chosen the secret factors P = 419 
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and Q = 863, the RSA-module N = 361597, and the public RSA-exponent E = 3, and after 
that the signer has communicated N and E to all interested parties. Suppose that the sup- 
plier wishes to obtain a blind digital RSA-signature of the initial data M = 123456. For this 
purpose, the supplier feeds the initial data M to the initial data input 10, and the RSA- 
5 module N to the module input 1 1 of the blinding unit 2. In addition, the supplier feeds the 
public RSA-exponent E to the first limiting input 7 of the arithmetic controller 6, and the 
RSA-module N decremented by 1, i.e., the integer 123455, to the second limiting input 8 
of the arithmetic controller 6. Suppose that the integer R = 901 appears at the output of the 
blinding key choice unit 1. The integer R is fed to the blinding key input 12 of the blinding 

10 unit 2 at whose output the data M = 237367 appears. The signer feeds the secret key (N, 
D) corresponding to the public RSA-exponent, i.e., D = 24021 1, onto the secret key input 
13 of the signature unit 3. The integer M' is fed onto the signing data input 14 of the sig- 
nature unit 3, and the integer T = 88275 appears at the output of the signature unit 3 and is 
fed to the unblinding data input 15 of the unblinding unit 4. Furthermore, the supplier feeds 

15 the RSA-module N, the initial data M, and the public RSA-exponent E, respectively, onto 
the module input 16, the initial data input 19, and the exponent input 17 of the unblinding 
unit 4. In addition, the integer R is fed to the blinding key input 18 of the unblinding unit 4. 
At the output of the unblinding unit the data T = 150340 are obtained, which is a digital 
RSA-signature on the initial data M. 

20 The possibility of implementing the blinding key choice unit of the apparatus for mak- 
ing a blind digital RSA-signature and the arithmetic controller related to it is clarified by 
the following example. 
Example 4 

The example is illustrated by Fig.l and Fig.2. Fig.2 shows arithmetic controller 6, 
25 which has an inadmissible divisor input 7, an obligatory divisor input 8, a trial data input 9, 
comprises a multiplier 20 and a coprimality tester 21. Here, the inadmissible divisor input 
7 is connected to an input 22 of the coprimality tester, the trial data input 9 is connected to 
an input 23 of the coprimality tester and to an argument input 24 of the multiplier 20, an 
output of the coprimality tester 21 is connected to a load input 25 of the multiplier 20, the 
30 obligatory divisor input 8 of the arithmetic controller 6 is connected to an argument input 
26 of the multiplier 20 which output is connected to the output of the arithmetic controller 
6. 

A specific example of functioning of the blinding key choice unit 1 of the above- 
described apparatus for making a blind digital RSA-signature is as follows. Suppose that 

35 the integer 1234 appears at the output of the random-number generator 5 and is fed to the 
trial data input 9 of the arithmetic controller 6. Suppose that the integer 7 is fed to the first 
limiting input 7 and the integer 5 is fed to the second limiting input 8. Integers 1234 and 7 
are fed, respectively, onto inputs 23 and 22 of the coprimality tester 21 at which output the 
Boolean value 1 ("TRUE") appears. This value is fed to the load input 25 of the multiplier 

40 20, and after that the multiplier 20 takes the data 1234 and 5, given to its argument inputs 
24 and 26, respectively. The integer 1234*5= 6170 appears at the output of the multiplier 
20 and also appears at the output of the arithmetic controller 6 and at the output of the 
blinding key choice unit 1 . 

To confirm the readability, the applicant gives an example of a concrete realization of 
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a MMEC and of its functioning in the example given below. 
Example 5 

The example is illustrated by Fig.3. Fig.3 shows the MMEC 27, which has a base input 
28 and the corresponding exponent input 29, a base input 30 and the corresponding expo- 
5 nent input 31, a module input 32, and an output. The MMEC comprises registers 33-40, a 
multiplier 41, a modular exponentiator 42, a subtractor 43, a modular divider 44, a divider 
45, a comparator 46, and a NOT-gate 47. Here, the base input 28 is connected to the data 
input of the register 35, the second base input 30 is connected to the data input of the reg- 
ister 36, the exponent input 29 is connected to the data input of the register 33, the expo- 

10 nent input 3 1 is connected to the data input of the register 34, and the module input 32 is 
connected to the module inputs of the modular divider 44 and the modular exponentiator 
42. In addition, the MMEC 27 comprises an output register, which is not shown in Fig.3 
and which output is connected to the output of the MMEC 27, and which data input is con- 
nected to the output of the register 39. The output of the register 33 is connected to the 

15 dividend input 48 of the divider 45 and with the minuend input 49 of the subtractor 43. The 
output of the register 34 is connected to the divisor input 50 of the divider 45, with an input 
5 1 of the multiplier 41, and with the data input of the register 37, The output of the register 
35 is connected to the dividend input 52 of the modular divider 44. The output of the reg- 
ister 36 is connected to the input 53 of the modular exponentiator 42 and to the data input 

20 of the register 39. The output of the divider 45 is connected to the input 54 of the multiplier 
41 and to the exponent input 55 of the modular exponentiator 42. The input of the multi- 
plier 41 is connected to the subtrahend input 56 of the subtractor 43, and the output of 
modular the exponentiator 42 is connected to a divisor input 57 of the modular divider 44. 
The output of the subtractor 43 is connected to the data input of the register 38, and the 

25 output of the modular divider 44 is connected to the data input of the register 40. The out- 
put of the register 37 is connected to the data input of the register 33, the output of the reg- 
ister 38 is connected to the data input of the register 34, the output of the register 39 is 
connected to the data input of the register 35, but these connections are not shown. The 
output of the register 38 is connected to an input 58 of the comparator 46, and the output of 

30 the comparator 46 is connected to the load input of the output register and with the input of 
NOT-gate 47 which output is connected to the load inputs of registers 33-36, but these 
connections are not shown. Furthermore, the MMEC 27 comprises the circuit for initial 
loading the registers 33-36, the circuit for feeding zero to an input 59 of the comparator 46 
and the synchronization circuit ensuring stepwise mode of operation of the MMEC, but 

35 these schemes are not shown in Fig.3 . 

A specific example of functioning of the MMEC 27 is as follows. The data X=l 1 is fed 
to the base input 28, the data Y = 17 is fed to the base input 30, the data A = 7 is fed to the 
exponent input 29, the data B = 5 is fed to the exponent input 31, and N = 37 is fed to the 
module input 32. After that, the initial loading circuit loads the values Ri = A = 7 from the 

40 input 29, R 2 = B = 5 from input the 31, XJ X = X = 1 1, and U 2 = Y = 17 to registers 33-36, 
respectively. The functioning of the MMEC proceeds step-by-step, which is ensured by 
the synchronization circuit. 

At the first step, the MMEC 27 operates as follows. The data Ri = 7 from the register 
33 and R 2 = 5 from the register 34 are fed to the dividend input 48 and divisor input 50 of 
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the divider 45, respectively, and the incomplete quotient Q = 1 of Ri = 7 and R 2 = 5 ap- 
pears at the output of the divider 45. The data Q = 1 appears at the input 54 of the multi- 
plier 41 and at the exponent input 55 of the modular exponentiator 42. The data R 2 = 5 is 
fed to the input 51 of the multiplier 41 from the register 34, and at the output of the multi- 
5 plier 41 the data QR 2 = 5 are obtained which are fed to the subtrahend input 56 of the 
subtractor 43. The data Rl = 7 are fed to the minuend input 49 of the subtracter 43 from 
the register 33, and at the output of the subtractor 43 the data Ri - Q R 2 = 2 are obtained 
which are fed to the register 38. The data R 2 = 5 are fed to the register 37 from the register 
34. The data U 2 = 17 from the register 36 are fed to the base input 53 of the modular expo- 

10 nentiator 42, the data N = 37 from the module input 32 is fed to the module input of the 
modular exponentiator 42, and at the output of the modular exponentiator 42 the data S = 
U 2 Q (mod N) = 17 are obtained, that are fed to the divisor input 57 of the modular divider 
44. The data Ui = 1 1 from the register 35 is fed to the dividend input 52 of the modular di- 
vider 44, and at the output of the modular divider 44 the data Ul-S" 1 (mod N) = 5 are ob- 

15 tained which are fed to the register 40. The register 36 feeds the data U 2 = 17 to the regis- 
ter 39. The register 38 feeds the data W = 2 to the input 58 of the comparator 46, the zero 
feed circuit feeds zero to the input 59 of the comparator 46, and the Boolean value 0 
("FALSE") appears at the output of the comparator 46 and is fed to the load inputs of the 
registers of the first and second outputs (thus, no data are fed to the data inputs of the reg- 

20 isters) and to the NOT-gate 47. The Boolean value 1 ("TRUE") appears at the output of the 
NOT-gate 47 and is fed to the load inputs of registers 33-36, after which these registers 
take the values Ri = 5, R 2 = 2, Ui = 17, U 2 = 5, respectively, form registers 35-38. This 
finishes the first step and initiates the second step. 

After the second step, registers 33-36 contain the values Ri = 2, R 2 = 1, Ui = 5, U 2 = 14, 

25 after which the third step starts. In the course of the third step, registers 35-38 obtain the 
values 1, 0, 14, 17, respectively. After that, the Boolean value 1 ("TRUE") appears at the 
output of the comparator 46 and is fed to the load input of the output register, after which 
the register obtains the data Z = 14 from the register 39, and this data appears at the output 
oftheMMEC 27. 

3 0 Variants of implementing the invention 

The applicant points out the variant of the method for making a blind digital RSA- 
signature by the first variant, in which the integer 2 is taken as the masking factor G, which 
leads to an acceleration of blinding and unblinding. In this variant, the signer takes, as the 
secret factors, two prime numbers P and Q, such that each of the integers P-l and Q-l has 

35 no divisors greater than 2 and less than U, and is coprime to each of the basic public RSA- 
exponents, and, furthermore, the numbers P-l and Q-l have no common divisors greater 
than 2. The choice of such prime numbers can be performed by additionally checking for 
trial prime numbers, whether the greatest common divisor of the numbers P-l and Q-l is 
equal to 2. The randomized blinding key R is chosen by putting the unity to the lowest bit 

40 of an integer of a suitable size obtained at the output of the cryptographic random-number 
generator with a uniform distribution. In this case, to verify that the predetermined blinding 
level is ensured, the supplier can check with the help of the method "cut and choose" de- 
scribed in the description of the invention that none of the secret factors is congruent to the 
unity modulo the divisors greater than 2 and less than the published bound U, and that the 


20 

secret factors decremented by 1 have no common divisors greater than 2. 

As other particular cases of realization of the method for making a blind digital RSA- 
signature by the first variant, the applicant points out the possibility of choosing such se- 
cret factors and masking factor that the masking factor is not either a multiple of the great- 
5 est common divisor of the secret factors decremented by 1, or a multiple of all divisors of 
each of the secret factors decremented by 1 that are less than a predetermined bound. For 
example, the integer 1 can be taken as the masking factor. Though such a choice does not 
allow one to ensure an arbitrary proximity of the blinding level to the unity, nevertheless, 
in certain practical situations the untraceability achieved by such a choice, can be accepted 
10 as sufficient. 

In a particular case of realization, the supplier can choose, as the initial data, the digital 
RSA-signature on some earlier initial data, which is already in hand, and thus obtain a 
digital RSA-signature on earlier initial data, which corresponds to the product of the public 
RSA-exponents. 

15 In addition, after making a digital RSA-signature on the initial data, corresponding to 
the public RS A-exponent E, the supplier can make, without the signer help, a digital RSA- 
signature on the initial data corresponding to an arbitrary public RSA-exponent being the 
divisor E. 

As particular cases of realization of the method for making a digital signature by each of 
20 the variants, the applicant points out the possibility of encryption, decryption, encoding, 
and decoding the data during their transmission from the supplier to the signer and back, 
which does not change the essence of the claimed invention. In particular, the kind of sig- 
nature can depend on the time of making the signature on the blinded data by the signer, 
and may also reflect the degree of the confidence of the signer in the supplier. Further- 
25 more, during the transmission from the supplier to the signer, the blinded data may be 
subjected to an additional blinding transformation, and during the transmission from the 
signer to the supplier the digital RSA-signature on the blinded data can be subjected to the 
corresponding unblinding transformation. 

In the realization of the method for making a digital signature by any of the variants, the 
30 digital RSA-signature property of the made digital RSA-signature on the initial data can be 
verified either after unblinding the digital RSA-signature on the blinded data by a direct 
verification, or before unblinding by verifying the fact that the obtained digital RSA- 
signature on the blinded data meets a digital RSA-signature property related to the blinded 
data. 

35 The applicant points out that in particular cases of realization of the apparatus for mak- 
ing a blind digital RSA-signature, connections between different units can be implemented 
via telecommunication nets, and the units themselves may be distant from each other. As 
other particular cases of the apparatus, the applicant points out the possibility of its reali- 
zation in the form of various other subdivisions of auxiliary devices contained in it into 

40 blocks which do not change the essence of the claimed invention. The connection between 
the blocks can also be implemented by way of passing these connections through addi- 
tional devices. Among such additional devices, there may be, in particular, encryption and 
decryption devices, as well as encoding and decoding devices. Furthermore, the claimed 
apparatus can be complemented by other known apparatuses, in particular, by apparatuses 
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for verification of the RS A-signature. 

Industrial applicability 

The invention can be used in electronic queuing systems, including digital signature, 
especially those where the protection of the users' privacy is wished under the high diver- 
sity of kinds of the signature. In particular, the invention can be used in telecommunication 
systems, cryptographic systems, payment systems, in bank operations, in timestamping 
systems, in lotteries, in net computer games, in systems of value cards and valuable docu- 
ments, and in many other areas. 
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Claims 

L A method for making a blind digital RSA-signature, comprising steps of: choosing se- 
cret factors and an RSA-module corresponding to them, choosing at least one admissible 
public RSA-exponent, choosing initial data, choosing a randomized blinding key, choosing 
5 an encryption RSA-key whose module corresponds to the chosen RSA-module and whose 
exponent corresponds to the chosen blinding key with which key an RSA-encryption is 
performed while creating blinded data, arbitrarily choosing a secret RSA-key correspond- 
ing to the chosen secret factors and an arbitrary admissible public RSA-exponent, and cre- 
ating a digital RSA-signature on the blinded data corresponding to said secret RSA-key, 

10 unblinding the created digital RSA-signature on the blinded data by inputting the digital 
RSA-signature on the blinded data, the blinding key, the RSA module, and the public 
RSA-exponent corresponding to the secret RSA-key used in creating the digital RSA- 
signature on the blinded data, into an unblinding converter whose output data are obtained 
as the digital RSA-signature on the chosen initial data, characterized in that during the step 

15 of creating the blinded data an RSA-encryption of the chosen initial data is performed, 
during the step of unblinding the created digital RSA-signature on the blinded data the 
chosen initial data are input additionally into the unblinding converter, a masking factor 
coprime to each admissible public RSA-exponent is additionally chosen, and the blinding 
key is chosen coprime to each admissible public RSA-exponent and as a multiple to the 

20 chosen masking factor. 

2. The method for making a blind digital RSA-signature according to Claim 1, charac- 
terized in that during the step of unblinding the created digital RSA-signature on the 
blinded data the chosen initial data preliminarily input into the unblinding converter are fed 
to one of base inputs of a modular multiplicative Euclidean converter (MMEC) contained 

25 in said unblinding converter, the created digital RSA-signature on the blinded data pre- 
liminarily input into the unblinding converter is fed to another base input of said unblind- 
ing converter, the chosen blinding key is fed to an exponent input of the MMEC corre- 
sponding to that base input on which said chosen initial data are fed, and the public RSA- 
exponent, which is preliminarily input into said unblinding converter and corresponds to 

30 the secret key utilized during creating the digital RSA-signature on the blinded data, is fed 
to an exponent input of the MMEC corresponding to that base input on which the created 
digital RSA-signature on the blinded data is fed. 

3. The method for making a blind digital RSA-signature according to Claim 1, charac- 
terized m that the randomized blinding key is chosen by a random-number generator. 

35 4. The method for making a blind digital RSA-signature according to Claim 3, charac- 
terized in that the step of choosing the randomized blinding key coprime to the chosen ad- 
missible public RSA-exponents is performed by correcting output data of the random- 
number generator with the chosen admissible public RSA-exponents. 

5. The method for making a blind digital RSA-signature according to Claim 3, charac- 
40 terized in that the step of choosing the randomized blinding key is performed by testing 

whether the output data of the random-number generator are coprime to the chosen admis- 
sible public RSA-exponents. 

6. The method for making a blind digital RSA-signature according to Claim 1, charac- 
terized in that the masking factor is chosen multiple to the greatest common divisor of the 


secret factors decremented by 1, and also to each divisor which is less than the predeter- 
mined bound and modulo which at least one of the secret factors is congruent to L 

7. The method for making a blind digital RSA-signature according to Claim 6, charac- 
terized in that the step of choosing the masking factor multiple to the greatest common di- 

5 visor of the secret factors decremented by 1 is performed by choosing an RSA-module cor- 
responding to two secret factors, and by choosing the masking factor multiple to the great- 
est one of those divisors of the RSA-module decremented by 1 that are coprime to the cho- 
sen admissible public RSA-exponents. 

8. The method for making a blind digital RSA-signature according to Claim 7, charac- 
10 terized in that the step of choosing the masking factor multiple to the greatest one of those 

divisors of the RSA-module decremented by 1 that are coprime to the chosen admissible 
public RSA-exponents, is performed by choosing admissible public RSA-exponents co- 
prime to said RSA-module decremented by 1, and by choosing said RSA-module decre- 
mented by 1 as the masking factor. 

15 9. The method for making a blind digital RSA-signature according to Claim 6, charac- 
terized in that the step of choosing the masking factor multiple to each divisor which is less 
than the predetermined bound and modulo which at least one of the secret factors is con- 
gruent to 1, is performed by additionally testing the secret factors to be congruent to 1 
modulo all those divisors which are greater than two and less than the predetermined 

20 bound. 

10. The method for making a blind digital RSA-signature according to Claim 6, charac- 
terized in that the step of choosing the masking factor multiple to the greatest common di- 
visor of the secret factors decremented by 1 is performed by additionally pairwise testing 
the secret factors, during the step of choosing them, for a simultaneous congruence to 1 

25 modulo all those divisors that are greater than two, and by choosing the masking factor 
even, wherein in the step of choosing the secret factors a simultaneous pairwise non- 
congruence to 1 modulo all those divisors greater than two is accepted as a criterion of the 
step of choosing the secret factors. 

11. The method for making a blind digital RSA-signature according to Claim 10, charac- 
30 terized in that the step of additionally pairwise testing the secret factors for a simultaneous 

congruence to 1 modulo all those divisors greater than two, is performed by comparing the 
value of the greatest common divisor of the secret factors decremented by 1 with an integer 
equal to two. 

12. The method for making a blind digital RSA-signature according to Claim 1, charac- 
35 terized in that in the step of creating the blinded data the RSA-encryption of the chosen 

initial data is performed by means of a modular exponentiator. 

13. The method for making a blind digital RSA-signature according to Claim 1, charac- 
terized in that an integer equal to two is chosen as the masking factor, during the step of 
choosing the secret factors they are additionally tested for a congruence to 1 modulo all 

40 those divisors greater than two and less than the predetermined bound and, pairwise, for a 
simultaneous congruence to 1 modulo all those divisors greater than two, wherein a non- 
congruence to 1 modulo all those divisors greater than two and less than the predetermined 
bound and a simultaneous pairwise non-congruence to 1 modulo all those divisors greater 
than two is accepted as a criterion of the step of choosing the secret factors. 
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14. The method for making a blind digital RSA-signature according to Claim 13, charac- 
terized in that in the step of choosing the secret factors, the step of additionally pairwise 
testing the secret factors for the simultaneous congruence to 1 modulo all those divisors 
greater than two is performed by comparing the value of the greatest common divisor of 

5 the secret factors decremented by 1 with an integer equal to two. 

15. The method for making a blind digital RSA-signature according to Claim 1, charac- 
terized m that the RSA-signature on the blinded data is created by means of a modular ex- 
ponentiator. 

16. The method for making a blind digital RSA-signature according to Claim 1, charac- 
10 terized in that the RSA-module is chosen corresponding to two secret factors, the admissi- 
ble public RSA-exponents are chosen coprime to the RSA-module decremented by 1, in 
the step of choosing the secret factors said secret factors are testing for a congruence to 1 
modulo all those divisors greater than two and less than the predetermined bound, wherein 
a non-congruence to 1 modulo all those divisors greater than two and less than the prede- 

15 termined bound is accepted as a criterion of the step of choosing the secret factors, and the 
masking factor is chosen multiple to the RSA-module decremented by 1 . 

17. The method for making a blind digital RSA-signature according to Claim 16, charac- 
terized in that the RSA-module decremented by 1 is chosen as the masking factor. 

18. The method for making a blind digital RSA-signature according to Claim 6, or the 
20 Claim 13, or the Claim 16 ? characterized in that the predetermined bound is chosen ac- 
cording to the predetermined blinding level. 

19. The method for making a blind digital RSA-signature according to Claim 1, charac- 
terized in that in the step of choosing the admissible public RSA-exponents an arbitrary 
public RSA-exponent whose only divisors are divisors of arbitrarily chosen basic public 

25 RSA-exponents is accepted as the admissible public RSA-exponent. 

20. The method for making a blind digital RSA-signature according to Claim 19, charac- 
terized in that the step of choosing the blinding key coprime to each admissible public 
RSA-exponent is performed by testing whether said blinding key is coprime to each basic 
public RSA-exponent. 

30 21. The method for making a blind digital RSA-signature according to Claim 19, charac- 
terized in that the step of choosing the blinding key coprime to each admissible public 
RSA-exponent is performed by correcting the output data of the random-number generator 
by the chosen basic public RSA-exponents. 
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22. A method for making a blind digital RSA-signature, comprising steps of: choosing se- 
cret factors and an RSA-module corresponding to them, choosing at least one admissible 
public RSA-exponent, choosing initial data, choosing a randomized blinding key, choosing 
an encryption RSA-key whose module corresponds to the chosen RSA-module and with 

5 which the RSA-encryption is performed while creating the blinded data, the chosen initial 
data being processed with a result of the RSA-encryption while creating the blinded data, 
arbitrarily choosing a secret RSA-key corresponding to the chosen secret factors and an ar- 
bitrary admissible public RSA-exponent, and creating a digital RSA-signature on the 
blinded data, corresponding to said secret RSA-key, creating an unblinding key corre- 

10 sponding to the blinding key and the secret RSA-key utilized while creating the digital 
RSA-signature on the blinded data, unblinding the created digital RSA-signature on the 
blinded data by inputting the digital RSA-signature on the blinded data, which step of un- 
blinding is performed by inputting said digital RSA-signature, the unblinding key and the 
RSA-module into an unblinding converter whose output data are received as the digital 

15 RSA-signature on the chosen initial data, characterized in that during the step of choosing 
at least one admissible public RSA-exponent a step of additionally choosing at least one 
basic public RSA-exponent is performed, for each of which basic public RSA-exponents 
an arbitrary limiting multiplicity is chosen, and an arbitrary public RSA-exponent consti- 
tuted from the chosen basic public RSA-exponents is accepted as the admissible public 

20 RSA-exponent, a multiplicity of each chosen basic public RSA-exponent being taken 
within a range of the chosen limiting multiplicity, during the step of creating the blinded 
data a step of RSA-encryption the chosen blinding key is performed, the encryption RSA- 
key by which the step of RSA-encryption being performed during the step of creating the 
blinded data is chosen corresponding to an RSA-exponent constituted from the chosen ba- 

25 sic public RSA-exponents each of which being taken in the chosen limiting multiplicity, 
the step of arbitrarily choosing the secret RSA-key corresponding to the chosen secret 
factors and arbitrary admissible public RSA-exponent is performed by arbitrarily choosing 
utilized multiplicities of the basic public RSA-exponents within a range of the chosen lim- 
iting multiplicities of the basic public RSA-exponents, and the unblinding key is created by 

30 RSA-encryption of the blinding key with the encryption RSA-key as a module of which 
the RSA-module is taken, and whose RSA-exponent corresponds to the basic public RSA- 
exponents, each of said basic public RSA-exponents being taken in a multiplicity equal to 
the difference between the limiting multiplicity corresponding to said basic public RSA- 
exponent and the utilized multiplicity chosen in the step of arbitrarily choosing the secret 

35 key and corresponding to said limiting multiplicity. 

23. The method for making a blind digital RSA-signature according to Claim 22, charac- 
terized in that the step of choosing the randomized blinding key is performed by means of 
a random-number generator. 

24. The method for making a blind digital RSA-signature according to Claim 22, charac- 
40 terized in that in the step of creating the blinded data the step of RSA-encryption of the 

chosen blinding key is performed by consecutive RSA-encryptions with the encryption 
RSA-keys, the RSA-module being taken as a module of each of said RSA-keys, and the 
basic public RSA-exponents being taken as the RSA-exponents, each of said basic public 
RSA-exponents being taken in the chosen limiting multiplicity. 
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25. The method for making a blind digital RSA-signature according to Claim 22, charac- 
terized in that the step of creating the unblinding key by RSA-encryption of the blinding 
key with the encryption RSA-key is performed by consecutive RSA-encryptions with the 
encryption RSA-keys, the RSA-module being taken as a module of each of said RSA-keys, 
and the basic public RS A-exponents being taken as the RSA-exponents, each of said basic 
public RSA-exponents being taken in the multiplicity equal to the difference between the 
limiting multiplicity corresponding to said basic public RSA-exponent, and a utilized mul- 
tiplicity chosen in the step of arbitrarily choosing the secret key and corresponding to said 
limiting multiplicity. 

26. The method for making a blind digital RSA-signature according to Claim 22, charac- 
terized in that the step of RSA-encryption during steps of creating the blinded data and 
creating the unblinding key is performed by means of a modular exponentiator. 

27. The method for making a blind digital RSA-signature according to Claim 22, charac- 
terized in that the digital RSA-signature on the blinded data is created by means of a 
modular exponentiator. 
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28. An apparatus for making a blind digital RSA-signature, comprising a blinding key 
choice unit having a random-number generator and a blinding unit having a modular expo- 
nentiator whose module input being connected to a module input of the blinding unit and 
whose exponent input being connected to a blinding key input of the blinding unit, said 

5 blinding unit has an initial data input and one output being connected to a signature data 
input of a signature unit which has a secret key input and one output being connected to an 
unblinding data input of an unblinding unit which has a signature output, a module input, 
an exponent input and a blinding key input, characterized in that a base input of the 
modular exponentiator of the blinding unit is connected to the initial data input of the 

10 blinding unit, and the output of the modular exponentiator is connected to the output of the 
blinding unit, the unblinding unit has additionally an initial data input and comprises a 
modular multiplicative Euclidean converter (MMEC) having a module input, base inputs 
and exponent inputs corresponding to each of said base inputs, the module input of the un- 
blinding unit being connected to the module input of the MMEC, the initial data input of 

15 the unblinding unit being connected to one of the base inputs of the MMEC, and an un- 
blinding data input of the unblinding unit being connected to another base input of the 
MMEC, the blinding key input of the unblinding unit is connected to the exponent input of 
the MMEC which corresponds to the base input of the MMEC connected to the unblinding 
data input of the unblinding unit, and the exponent input of the unblinding unit is con- 

20 nected to the exponent input of the MMEC which corresponds to the base input of the 
MMEC connected to the initial data input of the unblinding unit, and the output of the un- 
blinding unit is connected to the output of the MMEC, the blinding key choice unit com- 
prises additionally an arithmetic controller with two limiting inputs which are accepted 
conditionally as first and second limiting inputs, the arithmetic controller being connected 

25 to the random-number generator, an output of the arithmetic controller is connected to the 
output of the blinding key choice unit, and the arithmetic controller is made so as to pro- 
vide output data of the blinding key choice unit coprime to integers fed onto the first lim- 
iting input of the arithmetic controller, and to provide the divisibility of the output data of 
the blinding key choice unit with an integer fed onto the second limiting input of the arith- 

30 metic controller. 

29. The apparatus for making a blind digital RSA-signature according to Claim 28, char- 
acterized in that the connection of the arithmetic controller to the random-number genera- 
tor is performed by means of connecting the output of the random-number generator to the 
input accepted conditionally as test data input of the arithmetic controller, and coprimality 

3 5 of the output data of the blinding key choice unit to integers fed onto the first limiting input 
of the arithmetic controller and the divisibility of the output data of the blinding key choice 
unit with an integer fed onto the second limiting input of the arithmetic controller are pro- 
vided by means of that the arithmetic controller comprises a multiplier and a coprimality 
tester, the first limiting input of the arithmetic controller being connected to an input of the 

40 coprimality tester, the test data input being connected to another input of the coprimality 
tester and to an argument input of the multiplier, an output of the coprimality tester being 
connected to a loading input of the multiplier, and the second limiting input of the arithm- 
etic controller being connected to the argument input of the multiplier, whose output is 
connected to the output of the arithmetic controller. 
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Abstract 

The essence of the invention is in that when making a digital blind RSA-signature a new 
technique for blinding an initial data by a RSA-encryption and corresponding technique for 
unblinding the signed blinded data are employed, which gives the possibility to use an un- 
5 limited number of kinds of the signature in electronic systems of the mass scale service. 
The untraceability is ensured by a corresponding choice of the randomized exponent R, 
RSA-key used in RSA-encryption the initial data, and by the public module N properties 
verified in an arbitrary time moment. In so doing, N=PQ, where P and Q are secret prime 
factors, and R is multiple to N-l . In other variants of the invention the diversity of kinds of 
10 the signature is set by limitings on multiplicities of public exponents, said limitings being 
chosen prior to blinding the initial data. The apparatus to realize the method for making a 
digital blind RSA-signature comprises a blinding unit based on a modular exponentiator, 
and a corresponding unblinding unit. 
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Regulations, §I.5«(a) widen became available between tfee filing data of fte. Briar mrnfittrtims 
Biwf the national »r POT ^national itnng flate of mis application: mmmmm 


Appln. Serial Nn. 


FtJing Date 


T -*«apssssa=s^!( 

States: Patented. PendiBSf Ah ait^ottej J 


□ Patented D Pending U Ab» n d»«»A 


□ Fateated □ Pending □ Ahgm Wd 


O Patented DPeadlng. QAbando^J 


OT 


o 


NOU-03-1999 11=05 


HOMEP TBTBDOHB : 

LfiCKENBACH BIEGEL 


HQS. 35 lggg 19:00 CTP3 
914 723 4300 P. 03/27 


POWER OF ATTORNEY 


I hereby appoint the following attorneys) and/or agentf*) to prosecute the application entitled 
METHOD FOR MAKING A BLIND RS A-SIGNATtfRE AM) APPARATUS THEREFOR 
and *o transact ail business in the Paten* and Trademwk Ofiflce connected therewith- 
HENRY A, MARZULLO, JR., Reg. No. 2&$M- 

HOWARD N. ARONSON, Reg. No. 21^02; and 

MYROJV GREENSPAN, Reg, No. 2S^S0f 

MARVIN BSU5MAN, iwg, a&m. 
Address All telephone calls fa Myron Greenspan, at telephone number (91 4) 723-4300 

or to Hie attorney executing Hie last document Address all correspondence to 

LACKJXBACH Sir^EXMARgULLO ARONSON & GREENSPAN, EC at i^rffcm^ 

Snife, One Chase Road, Scarsdale, Ntw ¥5i¥l85^UTS.A < _ 

I hereby declare that alt statements made herein of my own Knowledge are true and that 

all statements made on information and belief are believed to be tine; and further that these 

statements went made mfh tke knowledge Ui*t willful ^Uiements and the like so made 

are punishable hy Cue vr imprisonment, or both, muter Section IWl of Title IS of the United 

States Code, and that 5«eb willful false statements may jeopardize the validity of the 


J Full NaMe of First w Sole Inventor 

Citimiship , .;./.";-' ' J 
•' Russian •■' : ' ' - | 

. | RESIDENCE Address — Street 

S&snfrvy B&i, MolodwwawUs, Ky,20 

POST OFFICE Address -Street 1 
^ same as residence) J 

Ci1y<ZSp>.. , '".-^ccV 
ISS537, Leiimaradsbaya oblast 

City pp) , ' 1 

State or Country 
Russia 

State or Country 

Date 


Foil Name of Second Joint Inventor 
.. ivan VladinUrovich KlifZNETSOV 

Citizenship 

Russian 

RESIDENCE Address - Street 
L «L Saltikov-Shedrina. 48. fcv_ Sfi 

POST OFFICE Address - Street 
{same as residence) 

Jaty(Zip) 

191123. &dntJ>~i~ n f mrr 

tlry(Zin) J 

State 9r Country 

Russia KM. Y 

State or Country | 

I Date ^A,/. 

Saaiatere ^^f&LL if 

« Agonal inventors are being named on separately narobenffi^attaclSdKi. 
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HOE. 05 1999 19:02 CTP4 
914 723 4300 p 9 Q4s2? 


, 1 Full Name of Third Johtt Inventor 
Andrev Geanadiwich MOSHGKES- 

Citizenship ■ ' : \ 


"ifiiMii restt&teeV .io' 1 ." j 


Chycap) • V': : }; v -- ;;;> '' 1 

State or Country '.:> . ' ■ !> 'i $--V "•■ . y 

{ Russia'. / :: ;.--'';-^'-^^H t - v ^''' 

Slate ttrCepiitiy" ' 

I Bate /for.&y %&0;r : , 

Signature j^^^^^ 

I Full Name of Fourth Joint lureiitor 

Citizeasliip ' ' 1 . 
Russian .■ •• ■ 


POST G111CE Address - Street ' :. 

/c<mi ft ag 'weirfaiMtAl 

• 191114 -SainfePeteratmrg / 


Stote w Canatry . "^^^ " 
Russia ; " ' ' l\' ' v & : ';.r : : 

. State or Camntty '_. ' v- '7 . •„ • • ■ 


Signature ' \Cui^*^rr* ■ : . '"'J 

M Name of Fifffi Joliit Sole Inventor 

atiztushlp . ■.-.'"."■'•I 

■ Russian ,■' ■; y\ 

RESIDENCE Address - Sfr$# 

J iii Rnkifihi aa i__ ^ 1. 1„ jj 

POST RTTFTrF Add race Stoat f 


City (Zip) 1 

State or Country 0 [ / (/ 
Russia 

State or Comtfry 


Signature S^V^^^ 


n Additional inventors are being named m separately a timbered sheets Attached hereto. 


